
© 2018 Thomson Reuters

Legal Tracker™ Product Content

SAML 2.0 authentication – manual provisioning

This document provides an overview of current Legal Tracker authentication

methods and the new authentication framework, with a more detailed look at SAML

2.0 authentication, manual provisioning, and how to make the change from your

current authentication method to SAML.

Tracker Coordinators will find a sample user notification message that they can

customize for their company, and other content that can be included with the

notification emails to help users understand the new sign-in experience.

Last updated: 19 Nov 2018


Contents

Authentication methods in Tracker today
  Tracker account
  OnePass
  AAD
New Tracker authentication framework
  Identity provider / SSO support
  SAML
  SAML manual provisioning in Tracker
  Phased rollout and timeline
Adopting SAML authentication
  Configuration
  Discrete testing
  Messaging
  Enablement
  User experience
Appendix 1 – User Notification Message Template
Appendix 2 – New User Experience
  Existing users – first sign-in
  Existing users – subsequent sign-ins
  New users
  Reset password
  Sign out
  Session expiration
Appendix 3 – New-user email example
Appendix 4 – Assign an Application in OKTA
Appendix 5 – FAQs
Appendix 6 – Glossary


Authentication methods in Tracker today

Companies who use Tracker currently sign in by using one of these authentication methods:

• Tracker account

• OnePass

• Azure Active Directory (Azure AD, AAD)

TRACKER ACCOUNT

• Users are added in Tracker, and user names and passwords are stored securely in the Tracker database.

• Company users enter their user name and password on a Tracker sign-in page to begin using Tracker.

ONEPASS

• Law firm users are required to use OnePass to sign in to Tracker.

• OnePass allows users to sign in to multiple Thomson Reuters® products and websites with a single user name and password.

• When a new user is created in Tracker, Tracker sends that user an email that includes a link to register the account.

• Users can create their own OnePass accounts, and the user names and passwords are stored by OnePass.

• The Tracker sign-in page redirects company users to the OnePass sign-in page so that all company users are authenticated by OnePass before they begin using Tracker.

AAD

• Active Directory integration lets customers use their existing company-issued credentials, identity provider (IdP), single sign-on (SSO) provider, and Active Directory to manage user access, authentication, and user adding/deactivating in Legal Tracker.

• The Tracker start page redirects company users to their company-managed sign-in page so that all company users are authenticated by the company system before they access Tracker.

• Company users sign in to Tracker by using their company-issued credentials, which are authenticated by the company’s identity or SSO provider. Companies can add and deactivate company users with their existing onboarding processes and tools.

• AAD integration provides a single, automated, auditable user adding and deactivating process. User identity attributes (including name, address, phone number, email address) in Tracker are synchronized from Active Directory.

New Tracker authentication framework

IDENTITY PROVIDER / SSO SUPPORT

More and more companies today want to streamline access to different business systems for their users in a simple and unified way, without a proliferation of user names and passwords. The Tracker account and OnePass authentication methods, which involve unique account user names and passwords, don't align well with this objective. Other companies aren't using Microsoft products or AAD, but may have selected an identity provider (IdP) to perform SSO.

To give these companies the simpler sign-in experience they're looking for, Legal Tracker has added SAML as an authentication method that supports modern identity solutions and SSO.

SAML

Security Assertion Markup Language, or SAML, is an open standard for exchanging authentication and authorization data between parties: an identity provider and a service provider. As its name implies, SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions).


The single most important use case that SAML addresses is web browser single sign-on (SSO).

SAML MANUAL PROVISIONING IN TRACKER

SAML authentication lets companies extend their IdP (for example, OKTA) to Tracker, and bypass classic Tracker account sign-ins. The company's IdP manages user names and passwords. Users must have both a valid Tracker account and a valid IdP user account to be able to sign in to Tracker.

If the company is already using Tracker, no further action is needed for existing users, other than to message those users about the change. See the Messaging section for more information.

For new users, an authorized Tracker company user, typically the Tracker Coordinator, will need to manually create user accounts in Tracker.

PHASED ROLLOUT AND TIMELINE

To help drive adoption, SAML authentication will be rolled out on a progressive timeline that includes these phases:

• Build an agnostic B2C tenant as the foundation of the solution and controller of all authentication requests to Tracker (completed in Summer 2018)

• Deliver SAML 2.0 support with manual provisioning to add and deactivate users (completed in Summer 2018)

• Deliver SAML 2.0 just-in-time (JIT) provisioning MVP (delivered in Tracker 2018 R3, November 2018)

• Deliver SAML 2.0 JIT advanced features (H1 2019)

• Extend SAML 2.0 support with manual provisioning to Tracker for Outlook (H1 2019)


Adopting SAML authentication

Adopting SAML as a Tracker company authentication method is accomplished in these phases:

• Configuration

• Discrete testing

• Messaging

• Enablement

Note: Filezone does not support SAML 2.0. When considering the change to SAML 2.0 authentication, be aware that Filezone will no longer be available to company users.

CONFIGURATION

The company's identity provider (IdP), for example OKTA, will access Tracker through the B2C tenant.

Thomson Reuters will complete a one-time configuration of the B2C tenant with the company's IdP URL, and assign a unique company ID.

The company also completes a one-time configuration in its IdP of where the assertion is to be sent (the B2C tenant endpoint that receives it).

DISCRETE TESTING

This step in the process is optional, but it is recommended to ensure that the configuration has been completed successfully.

The company can designate 1-5 existing Tracker users to test the new sign-in experience with SAML and the company IdP.

A Client Success Manager or Tracker Support will provide those users with the Tracker URL, which redirects them to sign in with the company IdP.

Note: The designated users will see the same user experience as company users will after SAML is enabled. Some IdPs may require that the discrete users have all related permissions set in the IdP. For example, with OKTA, the user must have Legal Tracker assigned as an application (see Appendix 4 for more details).

If needed, discrete testers can have authentication reset to their company's default method by contacting Tracker Support.

Discrete testing is conducted securely in the Legal Tracker production instance only. There is no provision for a sandbox at this time. If discrete testers fail to authenticate using SAML, they can still sign in to Tracker by using their existing credentials.

MESSAGING

While discrete testing is in progress, companies might want to start thinking about how to message users prior to enabling SAML authentication. Even though users are familiar with using their company's single sign-on, they have not used it to sign in to Tracker.

We recommend messaging users a few days in advance of enabling SAML authentication for Tracker, taking national and international holidays into account. In Appendix 1 we provide a message template that can be customized for the company's IdP and configuration. In Appendix 2, we also provide documentation and screenshots of the user experience that can be customized and attached to messages sent to users.

ENABLEMENT

When discrete testing is concluded and an enablement date selected, companies will work with a Client Success Manager or Tracker Support to enable SAML for all company users on that date. The CSM or Tracker Support will enable SAML in Tracker Settings > Password and Sign-in Options, and confirm the company's support contact email address.

The support contact information is needed so that Tracker can generate friendly messages to company users about who to contact if there are problems with their user accounts, because user names and passwords are managed by the IdP rather than Tracker.


USER EXPERIENCE

Users will need to be manually provisioned and deactivated by a company administrator in Tracker. After the company is configured within the B2C tenant, SAML is enabled, and users in Tracker are provisioned by the company administrator, the mapping between the company IdP and Legal Tracker through the B2C tenant happens dynamically with the user's email address and the unique company ID.

Note: For the very first sign-in, it's a good idea to verify that the user's email address in Tracker corresponds to the user's email address in the IdP.

To access Tracker, company users will need to have a valid company IdP account and a valid Tracker account. Possible user sign-in experiences are as follows:

• Users with a valid IdP account but not a valid Tracker account will be prompted with an informational message and will not be able to access Tracker.

• Existing users who access Tracker by using the Tracker URL will be redirected to the company’s IdP sign-in page, where they will enter their credentials and then go to their Tracker home page.

• New users will receive a Tracker welcome email that includes the Tracker URL, which takes them to the IdP sign-in page where they enter credentials and then see the Tracker welcome page.

• In some cases, depending on the company’s IdP configuration and/or use of cookies, users may see a Tracker sign-in page first, where they can click Continue and be redirected to the IdP sign-in page.

Note: If users are decommissioned in the company's IdP but not manually deactivated in Tracker, they will have no access to Tracker, as the SSO would block the sign-in (Tracker authentication is performed through the IdP).


Appendix 1 – User Notification Message Template

This template can be customized for the company and IdP. The attached document this email refers to is shown in Appendix 2.

Dear {User First Name Last Name},

From {date} we will be introducing Single Sign-On (SSO) to Legal Tracker for a seamless sign-in experience. Therefore, you will be redirected to {our company IdP} when signing in to Legal Tracker.

Please enter the user name and password that you normally use to sign in to your {company systems} or {our company IdP}.

If you have the Legal Tracker URL bookmarked, you do not need to take any action after the above-mentioned date, as it will continue working as it currently does.

Overall the workflows in Tracker are unaffected by the switch to SSO, but please note the following few changes to your user experience:

• Should you wish to reset your password, please do it in {our company IdP} or contact {our company IdP Administrator}

• Your user name and password will no longer be managed by Legal Tracker, but by {our company IdP}

• If your Legal Tracker session times out, you will see a new session expiration page; by selecting Continue, you will be signed back in to Tracker

If you have not signed in to Legal Tracker in the last {Tracker company settings / Password and Sign-In Options Inactivity days}, you will see an error message upon sign-in because your Tracker account is now locked. Kindly contact your Tracker Coordinator {Tracker Coordinator e-mail} so that your account can be unlocked.

Please refer to the attached document to find out more details about the upcoming changes to your Legal Tracker sign-in experience.

If you have any questions, please contact your Tracker Coordinator {Tracker Coordinator e-mail}.

Kind Regards,

{Tracker Coordinator First Name Last Name}


Appendix 2 – New User Experience

EXISTING USERS – FIRST SIGN IN

Any existing user is likely to follow the workflow below.

[Screenshot: Legal Tracker sign-in page. After the email address is entered (if not pre-populated by cookie), clicking Continue takes the user to the IdP sign-in page.]

[Screenshot: Company IdP sign-in page. Substitute with the company's IdP sign-in page.]

[Screenshot: Legal Tracker home page. Substitute with the company's Action/Dashboard page if needed.]


EXISTING USERS – SUBSEQUENT SIGN INS

Most users will follow the workflow below after the very first sign-in using the IdP. However, depending on company IdP configurations and user bookmarks to Tracker, a user might go directly to the bookmarked Tracker page without having to re-enter their IdP credentials.

[Screenshot: Company IdP sign-in page. Substitute with the company's IdP sign-in page.]

[Screenshot: Legal Tracker home page. Substitute with the company's Action/Dashboard page if needed.]


NEW USERS

New users will still receive a welcome email from Tracker with the Tracker URL. No temporary user name or password is included in the email, as these are now managed by the IdP. See Appendix 3 for a sample of the new welcome email to SAML users.

When users click the URL in the welcome email, they will be redirected to the company's IdP sign-in page.

After signing in to Tracker by using the company SSO for the first time, they will see the Legal Tracker Welcome & Terms of Use page followed by the User Profile page and the Print Quick Reference Guide page, prior to accessing the Tracker home page.

RESET PASSWORD

The Change Password action is no longer available in Tracker because the password is now managed by the IdP.

SIGN OUT

Upon sign out in Tracker, the user is redirected to the sign-out page. The user can click the Sign In button to sign in to Tracker again by using the company's IdP and SSO.


SESSION EXPIRATION

If a user's session expires for inactivity, the user is redirected to the session expiration page as shown below. The user can click the Continue button to sign in again by using the company's IdP and SSO.


Appendix 3 – New-user email example

The new user is provided with the Tracker URL and instructions to sign in with the company user name and password that is associated with the user's email address.


Appendix 4 - Assign an Application in OKTA

When adding or updating users, ensure that you check that Legal Tracker has been assigned as an application.

1. Click the Assign Application button.

2. On the Assign Application page, select Legal Tracker and click the Assign button.

3. Click the Done button when the assignment is completed.


Appendix 5 - FAQs

Q: What will happen to firm users?
A: Firm users are treated as local users. Refer to the OnePass section in this document. Note that we plan to transition firm users to the new architecture in 2019.

Q: Can firms take advantage of SAML or AAD?
A: At this time, we do not envision providing support to firms for SAML or AAD. However, this is under consideration for future development depending on other roadmap and market priorities.

Q: Who can I contact to discuss transitioning from my company's current authentication to the new architecture?
A: Please contact Tracker Support or your Client Success Manager.

Q: My company would like to implement SAML SSO. What do we need to do?
A: With the new architecture, authentication is routed via the IdP. Therefore, if SSO is supported by your IdP, you will be able to take advantage of it.
Note: For 2018, only companies who use Tracker account authentication can transition to SAML SSO.

Q: How long does it take to transition to SAML 2.0 in Tracker?
A: It all depends on how quickly your company's IT department can complete the configuration phase, how long you want the discrete testing phase to last, and how much notice you would like to give your users for the switch-over with the messaging.
Typically, the configuration phase can be accomplished in a couple of days, discrete testing can take 1-3 days, and the notice period is really variable depending on company practice but can be anything between 1 and 3 weeks.

Q: My company is currently using OnePass but we would like to transition to SAML 2.0 as soon as possible so that the user sign-in is completely unified and streamlined. What do we need to do?
A: It is possible to transition from OnePass to SAML 2.0. Please contact Tracker Support or your Client Success Manager.

Q: We are currently considering the AAD integration. What are the options with the SAML support?
A: AAD is an IdP and therefore it is possible to take advantage of SAML for Tracker authentication without opting for the full AAD integration.

Q: My company is currently using OnePass SSO. How would we be affected?
A: In early 2019, existing OnePass and AAD companies will be transitioned transparently to the B2C tenant without changing the authentication method. More details will be communicated at a later time.

Q: We are currently using or planning to use Tracker for Outlook and would like to take advantage of SAML 2.0 as well. Is there any concern that we should be aware of?
A: Tracker for Outlook authentication will be enhanced to support SAML and the B2C tenant authentication architecture in a later phase. B2C tenant support in Tracker for Outlook is currently targeted for 2019 H1. Therefore we recommend that you either:

• Wait to start using Tracker for Outlook until then, if you are already using Tracker with SAML 2.0

• Wait to transition to SAML 2.0 if you are already using Tracker for Outlook


Q: My company has two separate Tracker databases that share the same domain name. Can we implement SAML for both accounts?
A: No. This scenario is currently not in scope for the first SAML authentication phases.


Appendix 6 - Glossary

API: Application programming interface.

IdP (also IDP): Identity provider (for example, OKTA and Microsoft AAD).

Local user: A user who has an identity in, and is authenticated by, the B2C tenant. User attributes are managed in Tracker and pushed to the B2C tenant if required. These can be company, firm, or Thomson Reuters users.

Managed user: A user who has an identity in the B2C tenant that is associated with an external IDP/SSO system, and is solely authenticated by that system. User attributes are provided by the external IDP/SSO and Tracker is updated with those values. Where user attribute values are missing, Tracker provides defaults. For V1.0, only company and Thomson Reuters users can be managed users.

Web services user: A forms-based credential issued by Tracker for use with certain Tracker APIs. User sign-in is authenticated by Tracker. Tracker product access will be revoked for these users, and a password reset scheme will be added for this user type. This credential cannot be managed by an external IDP/SSO system.